In the Left pane on Restricted Groups, Right Click and select “Add Group“

In the Add Group, select browse and type Local Admin and then click “Check Names“

Click OK

Click Add under “This group is a member of:”

Add the “Administrators” Group.

Add “Remote Desktop Users”

Click OK twice

NOTE# When adding groups, you can add whatever you want, the GPO will match the group on the system, if you type “Admins” it will match a local group called Admins if it exists and put “Local Admin” in that group.

Step 4: Linking GPO

In Group policy management console, right click on the domain and select Link an Existing GPO

Select the Local Admin GPO

Step 5: Testing GPOs

Log on to a PC which is join to the domain and then run gpupdate /force and check the local administrators group. You should see Local Admin in that group now.

Tom and Bob help desk admins can now access all PCs remotely as a local administrator.